| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 16 Aug 2018 10:50:01 +0800
From: Mao Wenan <maowenan@...wei.com>
To: <dwmw2@...radead.org>, <gregkh@...ux-foundation.org>,
<netdev@...r.kernel.org>, <eric.dumazet@...il.com>,
<edumazet@...gle.com>, <davem@...emloft.net>, <ycheng@...gle.com>,
<jdw@...zon.de>
CC: <stable@...r.kernel.org>
Subject: [PATCH stable 4.4 0/9] fix SegmentSmack in stable branch (CVE-2018-5390)
There are five patches to fix CVE-2018-5390 in latest mainline
branch, but only two patches exist in stable 4.4 and 3.18:
dc6ae4d tcp: detect malicious patterns in tcp_collapse_ofo_queue()
5fbec48 tcp: avoid collapses in tcp_prune_queue() if possible
I have tested with stable 4.4 kernel, and found the cpu usage was very high.
So I think only two patches can't fix the CVE-2018-5390.
test results:
with fix patch: 78.2% ksoftirqd
withoutfix patch: 90% ksoftirqd
Then I try to imitate 72cd43ba(tcp: free batches of packets in tcp_prune_ofo_queue())
to drop at least 12.5 % of sk_rcvbuf to avoid malicious attacks with simple queue
instead of RB tree. The result is not very well.
After analysing the codes of stable 4.4, and debuging the
system, shows that search of ofo_queue(tcp ofo using a simple queue) cost more cycles.
So I try to backport "tcp: use an RB tree for ooo receive queue" using RB tree
instead of simple queue, then backport Eric Dumazet 5 fixed patches in mainline,
good news is that ksoftirqd is turn to about 20%, which is the same with mainline now.
Stable 4.4 have already back port two patches,
f4a3313d(tcp: avoid collapses in tcp_prune_queue() if possible)
3d4bf93a(tcp: detect malicious patterns in tcp_collapse_ofo_queue())
If we want to change simple queue to RB tree to finally resolve, we should apply previous
patch 9f5afeae(tcp: use an RB tree for ooo receive queue.) firstly, but 9f5afeae have many
conflicts with 3d4bf93a and f4a3313d, which are part of patch series from Eric in
mainline to fix CVE-2018-5390, so I need revert part of patches in stable 4.4 firstly,
then apply 9f5afeae, and reapply five patches from Eric.
Eric Dumazet (6):
tcp: increment sk_drops for dropped rx packets
tcp: free batches of packets in tcp_prune_ofo_queue()
tcp: avoid collapses in tcp_prune_queue() if possible
tcp: detect malicious patterns in tcp_collapse_ofo_queue()
tcp: call tcp_drop() from tcp_data_queue_ofo()
tcp: add tcp_ooo_try_coalesce() helper
Mao Wenan (2):
Revert "tcp: detect malicious patterns in tcp_collapse_ofo_queue()"
Revert "tcp: avoid collapses in tcp_prune_queue() if possible"
Yaogong Wang (1):
tcp: use an RB tree for ooo receive queue
include/linux/skbuff.h | 8 +
include/linux/tcp.h | 7 +-
include/net/sock.h | 7 +
include/net/tcp.h | 2 +-
net/core/skbuff.c | 19 +++
net/ipv4/tcp.c | 4 +-
net/ipv4/tcp_input.c | 412 +++++++++++++++++++++++++++++------------------
net/ipv4/tcp_ipv4.c | 3 +-
net/ipv4/tcp_minisocks.c | 1 -
net/ipv6/tcp_ipv6.c | 1 +
10 files changed, 294 insertions(+), 170 deletions(-)
--
1.8.3.1
Powered by blists - more mailing lists